
Detection of relevant digital evidence in the forensic timelines

Article

Authors: Eva Marková, Pavol Sokol, Kristína Kováčová

Abstract

Security incident handling and response are essential parts of every organization's information and cyber security. Security incident handling consists of several phases, among which digital forensic analysis has an irreplaceable place. Because each piece of digital evidence is recorded at a specific time, timelines play an essential role in analyzing this digital evidence. One of the vital tasks of the digital forensic investigator is finding the relevant records in this timeline. In most cases this operation is performed manually. This paper focuses on the possibilities of automatically identifying digital evidence pertinent to the case and proposes a model that identifies this digital evidence. For this purpose, we focus on the Windows operating system and the NTFS file system and use outlier detection (the Local Outlier Factor method). Collected digital evidence is preprocessed, transformed to binary values, and aggregated by file system inodes and file names. Subsequently, we identify the digital records (file inodes, file names) relevant to the case. This paper analyzes combinations of attributes, aggregation functions, and Local Outlier Factor parameters, and their impact on the resulting selection of relevant file inodes and file names.

Introduction

The increasing number of cyber attacks is causing a growing demand for cyber and information security analysts. However, as the number of cases increases, so does the amount of data to be analyzed. An analyst needs a quick overview of what is happening and all the information relevant to the case. The goal of a digital forensic investigation is to identify forensically significant artifacts during digital forensic analysis and then to confirm or refute the forensic hypothesis based on them.

Many of the artifacts obtained by acquiring individual devices are neither necessary nor relevant for the investigation. Constructing a timeline of events is one of the essential steps in analyzing a piece of digital evidence [1]. The timeline gives the analyst an overview of the amount of acquired data: in the timeline, records are represented by their metadata in chronological order. Timeline analysis is considered a vital component of any investigation, as the timing of events is almost always relevant [2].

In this paper, we focus on how to search for significant digital evidence in the Windows operating system, and for the relationships between pieces of evidence, using timeline analysis. The research is explicitly limited to the Windows operating system and the New Technology File System (NTFS). As part of our research, we consider only digital evidence available from the file system. Digital forensic investigators search for unusual occurrences in forensic timelines, and current techniques require a manual search [3]. This paper focuses on the possibilities of automatically identifying unusual occurrences in forensic timelines (digital evidence pertinent to the case) and proposes a model that identifies this digital evidence.

Identifying possible attributes of digital evidence (records in the forensic timeline) and finding relationships between them is an important research question in this area [4]. An equally important aspect is identifying the digital evidence relevant to the case [3]. To summarize the problems outlined above, we emphasize the following questions that we aim to answer:

  • analysis of selected attributes and their impact on the detection of digital evidence relevant to the case, and

  • analysis of attributes suitable for the Local Outlier Factor method to identify anomalous records in a forensic timeline.

To answer these questions, we apply the Local Outlier Factor method [5]. This data analysis method allows us to explore the anomalous records within the system. The contribution of this paper is the design of attributes that describe the forensic artifacts contained in the file system. In addition, we propose a new approach to the automated identification of relevant forensic artifacts that uses these attributes as input.
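As an added illustration of the pipeline the abstract and this section describe (timeline records transformed to binary attributes, aggregated per inode, then scored with the Local Outlier Factor), the following Python script is example code written for this page; it is not the authors' implementation, attribute set or dataset. The timeline records, the six attributes, the `sum`/`max` aggregation choice and the neighbourhood size k = 3 are all constructed assumptions. LOF is implemented directly from its definition (k-distance, reachability distance, local reachability density, LOF ratio) so that the script runs offline without scikit-learn.

```python
"""Added example, not from the paper: timeline records -> binary attributes ->
aggregation by inode -> Local Outlier Factor (LOF) score per inode.
All records, attribute names and parameters are constructed assumptions."""
from collections import defaultdict
from math import sqrt


def _docx(inode, macb_flags):
    """Constructed helper: one plaso-like record (timestamp, MACB, inode, name)
    per MACB flag string for an ordinary document under the user's profile."""
    name = rf"C:\Users\alice\Documents\file{inode}.docx"
    return [(f"2023-03-01T08:{i:02d}:00", f, inode, name)
            for i, f in enumerate(macb_flags)]


# Constructed timeline: seven ordinary documents with small variations in
# their timestamp events, plus one executable dropped in a Temp directory.
TIMELINE = (
    _docx(101, ["M...", ".A.."]) + _docx(102, ["M...", ".A.."])
    + _docx(103, ["M...", ".A.."])
    + _docx(104, ["M...", ".A..", ".A.."]) + _docx(105, ["M...", ".A..", ".A.."])
    + _docx(106, ["M...", ".A..", "..C."]) + _docx(107, ["M...", ".A..", "..C."])
    + [("2023-03-01T09:00:00", "...B", 999, r"C:\Users\alice\AppData\Local\Temp\update.exe"),
       ("2023-03-01T09:05:00", "MAC.", 999, r"C:\Users\alice\AppData\Local\Temp\update.exe")]
)

# Assumed attribute set: which MACB timestamp the record carries, plus two
# name-derived flags. The paper's own attributes are not reproduced here.
ATTRIBUTES = ["modified", "accessed", "changed", "born", "executable", "temp_dir"]


def to_binary(record):
    """Transform one timeline record into a 0/1 vector over ATTRIBUTES."""
    _, macb, _, name = record
    lower = name.lower()
    return [
        int(macb[0] == "M"),
        int(macb[1] == "A"),
        int(macb[2] == "C"),
        int(macb[3] == "B"),
        int(lower.endswith((".exe", ".dll", ".ps1"))),
        int("\\temp\\" in lower),
    ]


def aggregate(records, key=lambda r: r[2], func=sum):
    """Aggregate binary vectors per key (inode by default; use r[3] for the
    file name) with an aggregation function: sum counts events carrying each
    attribute, max records only presence."""
    groups = defaultdict(list)
    for rec in records:
        groups[key(rec)].append(to_binary(rec))
    return {k: [func(col) for col in zip(*vecs)] for k, vecs in groups.items()}


def euclid(a, b):
    return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def local_outlier_factor(points, k):
    """LOF (Breunig et al.) over a dict {key: vector}; returns {key: score}.
    Scores near 1 mean 'as dense as the neighbours'; clearly above 1 means
    the point is in a sparser region than its neighbours, i.e. an outlier."""
    keys = list(points)
    dist = {p: {q: euclid(points[p], points[q]) for q in keys if q != p}
            for p in keys}
    kdist, neigh = {}, {}
    for p in keys:
        ordered = sorted(dist[p].values())
        kdist[p] = ordered[k - 1]                       # distance to k-th neighbour
        neigh[p] = [q for q, d in dist[p].items() if d <= kdist[p]]  # ties included
    lrd = {}
    for p in keys:
        reach = [max(kdist[q], dist[p][q]) for q in neigh[p]]  # reachability distance
        # 1e-10 keeps lrd finite when neighbours are exact duplicates (reach == 0)
        lrd[p] = 1.0 / (sum(reach) / len(reach) + 1e-10)
    return {p: (sum(lrd[q] for q in neigh[p]) / len(neigh[p])) / lrd[p]
            for p in keys}


def rank_inodes(records, k=3, func=sum):
    """Return [(inode, LOF score)] from most to least anomalous."""
    scores = local_outlier_factor(aggregate(records, func=func), k)
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for inode, score in rank_inodes(TIMELINE):
        print(f"inode {inode}: LOF = {score:.3f}")
```

With the `sum` aggregation the seven document inodes score almost exactly 1.0 and inode 999 scores about 3.1, so the executable in the Temp directory is the only candidate an investigator would be pointed to. Two practical points the code handles: ties at the k-th distance are all kept in the neighbourhood, as the LOF definition requires, and the small constant in the local reachability density prevents a division by zero when several inodes collapse to identical vectors, which happens readily with presence-style (`max`) aggregation over binary attributes and otherwise inflates the scores of their non-identical neighbours.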

This paper is structured into six sections. After the introduction, we present the related papers in Section II. Section III briefly describes the use case and outlines the dataset. Section IV presents the methodology of this research. Section V provides the results and a discussion of attributes, aggregation functions, Local Outlier Factor parameters, and outliers. Finally, Section VI concludes the paper and discusses the challenges for future research.